Many companies are negligent about SAP security, researchers say

Researchers found many servers with old SAP applications or critical SAP administrative services exposed to the Internet

By Lucian Constantin | 19 June 13

SAP has significantly improved the security of its products over the past few years but many of its customers are negligent with their deployments, which exposes them to potential attacks that could cripple their businesses, according to security researchers.

The biggest issue is that companies expose insecure SAP services to the Internet -- not only HTTP services, but also critical administrative interfaces, Alexander Polyakov, chief technology officer at ERPScan, a developer of security monitoring products for SAP systems, said Tuesday.

Between 5 percent and 10 percent of companies that use SAP products expose critical services to the Internet that shouldn't be publicly accessible, Polyakov said. This happens because they want to enable remote management or because of improper configurations, he said.

Most of the services have vulnerabilities that can be easily attacked, Polyakov said.

Publicly available exploits exist for many SAP vulnerabilities, including some that are part of Metasploit, a popular security testing tool.

The percentage of companies with exposed SAP services differs from country to country. The situation is better in North America and Europe and worse in the Asia-Pacific region, Africa and Latin America, Polyakov said. However, even 5 percent translates to a very large number of companies, he said.

Juan Perez-Etchegoyen, the chief technology officer at Onapsis, a Cambridge, Massachusetts-based company that develops security products for ERP systems, believes that the number of companies running vulnerable SAP systems is actually higher than what Polyakov estimates and that it's growing.

"What makes this worse is the fact that many systems are exposed to vulnerabilities with public exploits that have been known for five or even ten years. The risk for these organizations is huge," he said Wednesday via email.

Another problem is the high number of publicly accessible Web servers that run outdated SAP applications. Using Google search, ERPScan researchers identified 695 unique servers with different SAP Web applications, and an additional 3,741 servers were found using the SHODAN search engine.

SAP NetWeaver J2EE and SAP NetWeaver ABAP were the most common SAP applications found on the servers. However, the most common versions of these two applications were SAP NetWeaver ABAP version 7.0 EHP 0 and SAP NetWeaver J2EE version 7.00, both of which were released in 2005.

Deployments of older versions of these products are not necessarily vulnerable if their administrators applied all patches and followed all security advice issued by SAP over the years.

However, a deployment of an old version is more likely to be vulnerable than a new one, because newer versions of these products are more secure in their default configurations, Polyakov said.

"The real problem is not that the systems were released in 2005, because SAP still has those under maintenance and releases security patches for vulnerabilities affecting them," Perez-Etchegoyen said. "The real threat is that some companies are not being able to apply them promptly, exposing themselves to cyberattacks."

Polyakov released some data about exposed SAP services earlier this month during a presentation at the RSA Asia Pacific 2013 security conference. However, more information about the results of ERPScan's research into the state of SAP security will be released in upcoming weeks as part of a larger report, he said.

Securing SAP systems is important because interest in SAP platform security has been growing among security researchers, but also among zero-day exploit buyers and sellers, according to Polyakov's RSA presentation slides.

Potential attacks against SAP systems could be driven by different motivations, Polyakov said.

Such attacks could be used to steal financial information, corporate secrets, human resources data, and supplier and customer lists for economic espionage. They could also be used to perform false transactions and modify data for fraud purposes, or they could be used to disrupt systems or modify financial reports for sabotage.

Compromising SAP servers in order to attack other types of systems connected to them is also a possibility, Polyakov said. For example, SAP servers are sometimes connected to SCADA (Supervisory Control and Data Acquisition) systems in order to receive and process data from them, he said.

SCADA systems are used to control and monitor industrial, infrastructure, and facility-based processes.

Someone who compromises an SAP system could easily launch a denial-of-service attack against a SCADA system connected to it, Polyakov said.

A cyberwar-like scenario where someone creates a computer worm to attack SAP systems and disrupt business at major companies in one particular country would also be possible, Polyakov said. Such an attack could have a significant economic impact, he said.

"Some companies still believe that the risk of an attack is low because attackers require high skills," said Mariano Nunez, CEO of Onapsis, via email. "However, with the availability of public exploits and increased exposure, the barrier for entry is much lower than organizations perceive."

Nunez noted a positive change in the last two years with leading organizations starting to protect their SAP systems against cyberattacks. However, "the unfortunate reality is that many organizations still believe SAP Security is only about roles and profiles, and leave their systems totally exposed to technical vulnerabilities," he said.

"We'd like to thank Alexander Polyakov for increasing our awareness for this important topic," SAP spokesman Hilmar Schepp said Tuesday via email. Polyakov has been working with SAP for several years, and thanks to the close collaboration SAP was able to provide patches for various security issues, he said.

"SAP's software and solutions meet the highest security standards," Schepp said. The company is working closely with customers on implementation issues and advises them to activate the appropriate security configurations, he said.